Chapter 13 Page 1 of 6

As it turned out, Lisa was right; I did like Agent Carter. The moment Lisa and I walked into his office I recognized him as the fidgety man who asked the easy questions at the table during my interrogation. He introduced himself to me with a broad smile and a firm handshake. He clapped his hand on my shoulder as he pumped my hand. Lisa was greeted in a similar manner. The unpleasantness of two days previous was furthest from his mind. He was determined to do all he could to drive those thoughts from my mind as well.

After pulling out two chairs in front of his desk and waiting for Lisa and I to be seated, Agent Carter circled around behind his desk. Without sitting down himself, he explained that he was taking the lead on this investigation and that I would be working with him. He went on to describe his background in detail.

Agent Jonny Carter joined the FBI straight out of college. He obtained his BS degree in Political Science from Georgetown University in Washington D.C. He grew up in Maryland, not far from Baltimore. He married young and he and his wife now have two children, both girls. He is now working in the division that handles computer crime, with an emphasis on banking. Agent Carter was quick to point out that there are other groups in the FBI that handle other aspects of computer crime such as mail fraud. His group concentrates on ATM crime, EFT crime, and other aspects of automated banking. This was already too wide a focus as far as he was concerned. Too many incidents and not enough investigators. Allowing some frustration to show, Jonny said that sometimes he feels that he alone is concerned with computer crime in the banking industry.

The number of actual computer crimes is far greater than police and FBI records show, explained Jonny, still standing behind his desk. He paced back and forth and fidgeted as he spoke. He explained that the number of reported cases is low partly because victems fear embarrassment in the press. For example, banks and other financial institutions are a favorite target for hackers. However, banks base their entire business on trust. Once customers begin to doubt the ability of a bank to protect their assets, the bank is in serious trouble. Every bank must factor the reduced customer base that results from embarrassing press coverage into any decisions concerning computer crimes. For example, suppose bank X fully expects to lose about $1 million per year in computer theft. How much should that bank spend to correct the problem? There are options available to the bank, such as installing firewalls and making wiser use of cryptography, but these cost money. On the face of it, it would seem that $5 million is quite reasonable; the bank can expect the solution to “pay for itself” within a few years. However, this fails to take into account the very real losses that result from admitting that there is a problem in the first place.

Fixing a problem requires first acknowledging that the problem exists. Acknowledging that a hacker problem exists results in a severe drop in public confidence. Once lost, public confidence is very hard to regain. It may take several years, even after the new remedies are in place. The loss is made all the worse if all other banks continue to deny the problem exists, thereby making the one honest bank appear to be sloppy and vulnerable when in fact exactly the opposite is true!

Lisa pointed out that the area that is most vulnereable is the Internet. Everybody is racing to move serious applications and businesses to the Internet and nobody is willing to wait for strong security to be incorporated into the Internet Protocol (IP). Instead, most proponents of Electronic Commerce prefer to downplay the risks and fool even themselves into complacency.

Agent Carter agreed. The Internet will never be free of hackers, he said. Even if stringent laws are passed protecting privacy and integrity on the net, without a technical solution that prevents such activity, we are reduced to relying upon deterants. And deterants alone are unlikely to solve the problem, no matter how harsh they may be. Students, being the free-spirits they are, young and anxious to learn through experimentation, will continue to tinker with the net in every manner they can.

I pointed out that it is hard to distinguish “innocent” probing from malicious hacks. For example, the traceroute command looks like a suspicious attempt to use source-routing for a man-in-the-middle attack. Often an apparent attack — one that sets off alarms in a firewall — is nothing more than an innocent mistake by a naive user who isn’t familiar with the application he or she is trying to run (e.g. a first-time user of telnet). This is one of the greatest challenges in firewall design.

“That’s right,” Jonny agreed. “I don’t know the technical details, but I can appreciate what you are saying Carl. This is what makes my job so tough.”

Jonny explained that it is not at all unusual today for a systems administrator to correct a problem when an attack occurs but not bother investigating the actual crime. Very few people make even a feable effort to find the culprits. It is simply too costly. It took Clifford Stoll the better part of a year to track down the hacker he first detected on the machines at Lawrence Berkeley labs in 1988. Tsutomu Shimomura succeeded in tracking down Kevin Mitnick in only a couple of months, but he had the help of numerous people and he himself worked on the case full-time (and even over-time) during those months. Shimomura was relentless. A corporation, faced with the option of spending many person-months pursuing an intruder, with a very real possibility that the culprit will turn out to be a prankster trying to impress his cronies or girlfriend, is more than likely going to choose to repair the damage and get back to the business of making money. Even a very diligent company, one that opts to pursue an intruder, is going to have difficulty enlisting the help of other companies and organizations. For example, if the intruder is traced back to a university, the systems administrators at that university are more than likely to be somewhat jaded; no doubt they recieve complaints about hacking on a regular basis.